ISO 27001:2022.
ISMS Requirements and Information security controls
ISMS Requirements (ISO 27001, clauses 4-10)

4. Context of the organization
   4.1 Understanding the organization and its context
   4.2 Understanding the needs and expectations of interested parties
   4.3 Determining the scope of the ISMS
   4.4 ISMS

5. Leadership
   5.1 Leadership and commitment
   5.2 Policy
   5.3 Organizational roles, responsibilities and authorities

6. Planning
   6.1 Actions to address risks and opportunities
   6.2 Information security objectives and planning to achieve them
   6.3 Planning of changes

7. Support
   7.1 Resources
   7.2 Competence
   7.3 Awareness
   7.4 Communication
   7.5 Documented information

8. Operation
   8.1 Operational planning and control
   8.2 Information security risk assessment
   8.3 Information security risk treatment

9. Performance evaluation
   9.1 Monitoring, measurement, analysis and evaluation
   9.2 Internal audit
   9.3 Management review

10. Improvement
   10.1 Continual improvement
   10.2 Nonconformity and corrective action

Information security controls (Annex A)

5. Organizational controls
   5.1  Policies for information security
   5.2  Information security roles and responsibilities
   5.3  Segregation of duties
   5.4  Management responsibilities
   5.5  Contact with authorities
   5.6  Contact with special interest groups
   5.7  Threat intelligence *
   5.8  Information security in project management
   5.9  Inventory of information and other associated assets
   5.10 Acceptable use of information and other associated assets
   5.11 Return of assets
   5.12 Classification of information
   5.13 Labelling of information
   5.14 Information transfer
   5.15 Access control
   5.16 Identity management
   5.17 Authentication information
   5.18 Access rights
   5.19 Information security in supplier relationships
   5.20 Addressing information security within supplier agreements
   5.21 Managing information security in the ICT supply chain
   5.22 Monitoring, review and change management of supplier services
   5.23 Information security for use of cloud services *
   5.24 Information security incident management planning and preparation
   5.25 Assessment and decision on information security events
   5.26 Response to information security incidents
   5.27 Learning from information security incidents
   5.28 Collection of evidence
   5.29 Information security during disruption
   5.30 ICT readiness for business continuity *
   5.31 Legal, statutory, regulatory and contractual requirements
   5.32 Intellectual property rights
   5.33 Protection of records
   5.34 Privacy and protection of PII
   5.35 Independent review of information security
   5.36 Compliance with policies, rules and standards for information security
   5.37 Documented operating procedures

6. People controls
   6.1 Screening
   6.2 Terms and conditions of employment
   6.3 Information security awareness, education and training
   6.4 Disciplinary process
   6.5 Responsibilities after termination or change of employment
   6.6 Confidentiality or non-disclosure agreements
   6.7 Remote working
   6.8 Information security event reporting

7. Physical controls
   7.1  Physical security perimeter
   7.2  Physical entry
   7.3  Securing offices, rooms and facilities
   7.4  Physical security monitoring *
   7.5  Protecting against physical and environmental threats
   7.6  Working in secure areas
   7.7  Clear desk and clear screen
   7.8  Equipment siting and protection
   7.9  Security of assets off-premises
   7.10 Storage media
   7.11 Supporting utilities
   7.12 Cabling security
   7.13 Equipment maintenance
   7.14 Secure disposal or re-use of equipment

8. Technological controls
   8.1  User endpoint devices
   8.2  Privileged access rights
   8.3  Information access restriction
   8.4  Access to source code
   8.5  Secure authentication
   8.6  Capacity management
   8.7  Protection against malware
   8.8  Management of technical vulnerabilities
   8.9  Configuration management *
   8.10 Information deletion *
   8.11 Data masking *
   8.12 Data leakage prevention *
   8.13 Information backup
   8.14 Redundancy of information processing facilities
   8.15 Logging
   8.16 Monitoring activities *
   8.17 Clock synchronization
   8.18 Use of privileged utility programs
   8.19 Installation of software on operational systems
   8.20 Network security
   8.21 Security of network services
   8.22 Segregation of networks
   8.23 Web filtering *
   8.24 Use of cryptography
   8.25 Secure development life cycle
   8.26 Application security requirements
   8.27 Secure system architecture and engineering principles
   8.28 Secure coding *
   8.29 Security testing in development and acceptance
   8.30 Outsourced development
   8.31 Separation of development, test and production environments
   8.32 Change management
   8.33 Test information
   8.34 Protection of information systems during audit testing

* New controls in the 2022 edition (11 in total: 5.7, 5.23, 5.30, 7.4, 8.9, 8.10, 8.11, 8.12, 8.16, 8.23, 8.28)

Control: measure that maintains and/or modifies risk

by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001 - www.patreon.com/AndreyProzorov